No description, website, or topics provided.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Notes
SPIProgrammer
Makefile
Readme.txt
assemblesettings.c
decompress_bootloader.sh
decompress_firmware.sh
disassemblesettings.c
extractmemorydump.c
repacksettings.c
unpacksettings.c

Readme.txt

SUPER HUB INTEGRATION TOOLS


The utilities in this package provide a comprehensive set of tools for manipulating the firmware and settings of
the Super Hub (VMDG480), also known as the Netgear CG3101D. As each modem contains unique settings and calibration
data it is not advisable to exchange permanent settings between modems. The calibration data within the permanent
settings area has been generated in the factory using a special rig. Using incorrect calibration data will cause
the measured and transmitted power levels to be inaccurate, and could cause the modem to interfere with other
devices on the network.
These utilities have been developed with the intention that they are used for "Legal Academic Purposes".
The utilities have been provided in source code form, and must be compiled in order to use them.

All source code is distributed under the terms of the GNU General Public Licence.

    This is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
	



SPIProgrammer
	This directory contains software and firmware and instructions for building your own SPI programmer
	to read/write data from/to the 8MB flash memory chip within the modem.

extractmemorydump
	This utility separates the individual components which comprise the firmware in the 8MB image file.
	These being:
	Bootloader
	Permanent Settings - Factory defaults, calibration data, certificates, per-device config eg MAC address
	Firmware Image1 - The software which runs on the router
	Firmware Image2 - A backup of the previous version of software (optional)
	Dynamic Settings - User configuration data, e.g. passwords, network configuraion, system logs etc...

unpacksettings
	This utility extracts the settings blocks from a 64k settings memory image obtained from extractmemorydump.
	It works with both dynamic and permanent settings memory images.
	Each time the modem writes to the settings area it will create a new settings block.
	If there is sufficient free space to fit the new settings block within the settings memory area,
	the new settings will be written without erasing the old settings.
	Therefore in one 64k settings memory image file, there may be more than one settings block.
	The modem always chooses the last (latest) valid settings block.
	This behaviour gives the modem the ability to survive an incomplete write e.g. power failure during write.
	Permanent and Dynamic settings are kept separate by storing them in different areas of the flash memory.
	Permanent and Dynamic settings should not be interchanged as they contain incompatible object types
	which the modem firmware will not understand.
	Dynamic settings blocks are substantially bigger than Permanent settings blocks, so much so that there is
	only enough room within the settings memory image to store one copy of the dynamic settings.
	This is a major design limitation because it removes the ability of the modem to survive an incomplete write
	to the Dynamic settings. As the dynamic settings contains event logs, the modem frequently updates this area of memory.
	Powering off the modem at the wrong time could cause the dynamic settings to be lost.
	Ever wondered why your SuperHub sometimes mysteriously looses its settings?
	The settings files generated by this tool are in the same file format as the SuperHub uses to download/upload
	settings via TFTP.

disassemblesettings
	This utility disassembles the individual settings objects from within the settings block file obtained from unpacksettings.
	Each settings object describes the settings for one subsystem of the modem.
	The settings objects are identified by a 4 byte magic string. This enables the modem firmware to detect what type of
	settings object it is reading, and what class should handle it.
	The disassemble settings utility creates a directory containing all of the settings objects, with one file per
	object, and names it with a .cobj. The filename contains a number indicating the index and the magic string.
	The index helps to preserve the settings object	order within the settings memory,
	though this is believed to be non-critical. The magic string helps you identify the settings object 
	in order to make alterations. Some magic strings contain non-printable characters. Where this is the case,
	two character hexadecimal representation is used instead of the non-printable character.
	Example "CMAp" = CableModemApplication Settings, "D0C20300" = DOCSIS 3.0 settings.

assemblesettings
	This utility is the complement of disassemblesettings. The settings objects are combined together,
	a checksum is calculated, and the settings block saved to the specified file name.
	The settings block can then either be downloaded to the modem via TFTP, or packed into a settings memory image using
	the repacksettings utility.
	Take care not to mix dynamic and permanent settings objects as they are not compatible,
	despite sometimes having the same magic strings.

repacksettings
	This utility is the complement of unpacksettings. It generates a settings memory image from
	the supplied list of settings blocks.
	As the superhub only uses the last valid settings block, this utility will, in most normal cases,
	be used to pack just a single settings block into a settings memory image.
	If however, there is a need to preserve older settings blocks, then this utility gives the option
	of storing multiple blocks.
	Note that only the latest valid block will be used.
	Also note that Dynamic settings are too big to have multiple settings blocks within the settings memory image.

decompress_bootloader.sh
	This shell script processes a bootloader file that was extracted using extractmemorydump. 
	It extracts the LZMA compressed data to a .lzma file, decompresses it using the lzma utility to a .decompressed file
	and then attempts to disassemble the machine code using objdump to a .asm file.
	Beware, this shell script is not very robust, it assumes a fixed offset for the start of the LZMA data.
	Note: It is normal to see a warning "Unexpected end of input"

decompress_firmware.sh
	This shell script takes a compressed firmware image file extracted using extractmemorydump.
	It extracts the LZMA compressed data to a .lzma file, decompresses it using the lzma utility to a .decompressed file
	and then attempts to disassemble the machine code using objdump to a .asm file.
	Beware, this shell script is not very robust, don't let it eat your data!
	Note: It is normal to see a warning "Unexpected end of input"




HOW-TO BUILD THE TOOLS

Prerequisites:
gcc
gputils - For SPI Programmer

Build commands:
make
cd SPIProgrammer
make

If the process is successful, there will be no error messages.
The compiled binaries now need to be manually copied to somewhere that is on the system path.




HOW-TO USE THE TOOLS

In this example, we will extract the firmware from a modem using the SPI programmer,
modify the settings to enable the serial console and telnet, then write the settings back using the SPI programmer.


First extract a full backup image of the whole EEPROM. This takes about 12 Minutes.
Ensure you see the line "Device ID 0x010216" displayed, otherwise there may be a communication 
fault between the EEPROM and the PIC.
spi_prog /dev/ttyUSB0 -r 0x000000 0x800000 my_modem.img
You should see the following output in the terminal:
Flushing buffers...
Handshake..
Query ID..
Device ID 0x010216
Reading data 0x00000000-0x00800000 (0x00800000)...


If this succeeds, you should have the following file:
my_modem.img       (8388608 bytes)

Verify that the file contains data using a hex editor:
00000000   0B F0 03 21  00 00 00 00  40 08 80 01  03 E0 88 21  ...!....@......!
00000010   00 08 24 02  04 11 00 0A  00 00 00 00  01 20 A0 21  ..$.......... .!
00000020   01 40 B0 21  00 08 21 C2  04 11 00 05  00 00 00 00  .@.!..!.........
00000030   01 20 A8 21  01 40 B8 21  02 20 00 08  00 00 00 00  . .!.@.!. ......
00000040   24 09 00 40  30 8A 01 C0  00 0A 51 82  01 49 48 04  $..@0.....Q..IH.
00000050   30 8A 00 38  00 0A 50 C2  11 40 00 09  00 00 00 00  0..8..P..@......
00000060   24 0B 00 02  01 4B 50 04  30 8B 00 07  21 6B 00 01  $....KP.0...!k..
00000070   71 69 48 02  71 2A 48 02  10 00 00 03  00 00 00 00  qiH.q*H.........

If this has succeeded, then you have successfully created a backup of the whole EEPROM,
which can be restored to at any point in the future if things go wrong. Keep the file safe!

Now extract the various firmware components using:
extractmemorydump my_modem.img 

This should produce the following output (or very similar):
0x000000 - 0x0062fc Bootloader:          0x0062FC bytes > my_modem.img.bootloader
0x010000 - 0x020000 Permanent Settings:  0x010000 bytes > my_modem.img.permanent
0x7f0000 - 0x800000 Dynamic Settings:    0x010000 bytes > my_modem.img.dynamic


Image 1 Program Header:
   Signature: a0e7
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2012/5/28 10:59:34 Z
 File Length: 3296519 bytes
Load Address: 80004000
    Filename: CG3101D_2VGUKS_V5.5.5R36_D30RG11u_20120528.bin
         HCS: 69b0
         CRC: 8cad7588
0x020000 - 0x344d63 Image 1:    0x324D63 bytes > my_modem.img.image_0x020000

You should now have the following files new files:

my_modem.img.bootloader       (  25340 bytes)
my_modem.img.permanent        (  65536 bytes)
my_modem.img.image_0x020000   (3296611 bytes)
my_modem.img.dynamic          (  65536 bytes)

The file size of the main firmware image will vary with firmware version.

Now extract the dynamic settings area using:
unpacksettings my_modem.img.dynamic 

This should produce the following output:
Parameter Block Size:  0x00010000
Allocated Block Count: 0xfffffffe (1 blocks allocated)

0x00CA Settings Block 0:
  Length: 0x0000ed79
  CRC:    0x0f740199
  Checksum is valid
  Writing to file "my_modem.img.dynamic.param_00"

Here only one settings block was found because this was the dynamic settings area.
You should now have the following new file:

my_modem.img.dynamic.param_00  (60793 bytes)

Now disassemble the settings block using:
disassemblesettings my_modem.img.dynamic.param_00 

This should produce the following output:

File:   my_modem.img.dynamic.param_00
Length: 0x0000ed79
CRC:    0x0f740199
Object: 000  Addr: 0x000008  Size:    12  Magic: CMAp     > 'my_modem.img.dynamic.param_00_settings/000_CMAp.cobj'
Object: 001  Addr: 0x000014  Size:    90  Magic: MLog     > 'my_modem.img.dynamic.param_00_settings/001_MLog.cobj'
Object: 002  Addr: 0x00006e  Size:     9  Magic: F2A1F61F > 'my_modem.img.dynamic.param_00_settings/002_F2A1F61F.cobj'
Object: 003  Addr: 0x000077  Size:   666  Magic: 8021     > 'my_modem.img.dynamic.param_00_settings/003_8021.cobj'
Object: 004  Addr: 0x000311  Size:     8  Magic: 802S     > 'my_modem.img.dynamic.param_00_settings/004_802S.cobj'
Object: 005  Addr: 0x000319  Size:    12  Magic: FACT     > 'my_modem.img.dynamic.param_00_settings/005_FACT.cobj'
Object: 006  Addr: 0x000325  Size:    43  Magic: bpi20    > 'my_modem.img.dynamic.param_00_settings/006_bpi20.cobj'
Object: 007  Addr: 0x000350  Size:    39  Magic: bpih     > 'my_modem.img.dynamic.param_00_settings/007_bpih.cobj'
Object: 008  Addr: 0x000377  Size:    28  Magic: D0C20100 > 'my_modem.img.dynamic.param_00_settings/008_D0C20100.cobj'
Object: 009  Addr: 0x000393  Size:    18  Magic: D0C20300 > 'my_modem.img.dynamic.param_00_settings/009_D0C20300.cobj'
Object: 010  Addr: 0x0003a5  Size:  1589  Magic: CMEV     > 'my_modem.img.dynamic.param_00_settings/010_CMEV.cobj'
Object: 011  Addr: 0x0009da  Size:  1060  Magic: snmp     > 'my_modem.img.dynamic.param_00_settings/011_snmp.cobj'
Object: 012  Addr: 0x000dfe  Size:     8  Magic: DnSt     > 'my_modem.img.dynamic.param_00_settings/012_DnSt.cobj'
Object: 013  Addr: 0x000e06  Size:     8  Magic: DnS1     > 'my_modem.img.dynamic.param_00_settings/013_DnS1.cobj'
Object: 014  Addr: 0x000e0e  Size:     8  Magic: UpSt     > 'my_modem.img.dynamic.param_00_settings/014_UpSt.cobj'
Object: 015  Addr: 0x000e16  Size:     8  Magic: UpS1     > 'my_modem.img.dynamic.param_00_settings/015_UpS1.cobj'
Object: 016  Addr: 0x000e1e  Size:     8  Magic: UpS2     > 'my_modem.img.dynamic.param_00_settings/016_UpS2.cobj'
Object: 017  Addr: 0x000e26  Size:     8  Magic: UpS3     > 'my_modem.img.dynamic.param_00_settings/017_UpS3.cobj'
Object: 018  Addr: 0x000e2e  Size:     8  Magic: Ppan     > 'my_modem.img.dynamic.param_00_settings/018_Ppan.cobj'
Object: 019  Addr: 0x000e36  Size:   174  Magic: RSTL     > 'my_modem.img.dynamic.param_00_settings/019_RSTL.cobj'
Object: 020  Addr: 0x000ee4  Size: 32289  Magic: Ntgr     > 'my_modem.img.dynamic.param_00_settings/020_Ntgr.cobj'
Object: 021  Addr: 0x008d05  Size:   123  Magic: PRNT     > 'my_modem.img.dynamic.param_00_settings/021_PRNT.cobj'
Object: 022  Addr: 0x008d80  Size:    55  Magic: PS0DV    > 'my_modem.img.dynamic.param_00_settings/022_PS0DV.cobj'
Object: 023  Addr: 0x008db7  Size:  1726  Magic: CAP2E    > 'my_modem.img.dynamic.param_00_settings/023_CAP2E.cobj'
Object: 024  Addr: 0x009475  Size:  1545  Magic: CDP2E    > 'my_modem.img.dynamic.param_00_settings/024_CDP2E.cobj'
Object: 025  Addr: 0x009a7e  Size:    53  Magic: CSP2E    > 'my_modem.img.dynamic.param_00_settings/025_CSP2E.cobj'
Object: 026  Addr: 0x009ab3  Size:  3179  Magic: RG2E2E   > 'my_modem.img.dynamic.param_00_settings/026_RG2E2E.cobj'
Object: 027  Addr: 0x00a71e  Size:  1806  Magic: cmp2E    > 'my_modem.img.dynamic.param_00_settings/027_cmp2E.cobj'
Object: 028  Addr: 0x00ae2c  Size:  1162  Magic: CHEV     > 'my_modem.img.dynamic.param_00_settings/028_CHEV.cobj'
Object: 029  Addr: 0x00b2b6  Size:    18  Magic: CQP2     > 'my_modem.img.dynamic.param_00_settings/029_CQP2.cobj'
Object: 030  Addr: 0x00b2c8  Size: 11267  Magic: FIRE     > 'my_modem.img.dynamic.param_00_settings/030_FIRE.cobj'
Object: 031  Addr: 0x00decb  Size:    15  Magic: VPNG     > 'my_modem.img.dynamic.param_00_settings/031_VPNG.cobj'
Object: 032  Addr: 0x00deda  Size:    30  Magic: PPPS     > 'my_modem.img.dynamic.param_00_settings/032_PPPS.cobj'
Object: 033  Addr: 0x00def8  Size:  3654  Magic: WiGu     > 'my_modem.img.dynamic.param_00_settings/033_WiGu.cobj'
Object: 034  Addr: 0x00ed3e  Size:    59  Magic: ERT2E    > 'my_modem.img.dynamic.param_00_settings/034_ERT2E.cobj'

A new directory should have been created:
my_modem.img.dynamic.param_00_settings  (Directory containing 35 objects)

The number of object files will vary depending on what firmware version is installed, and what previous
firmware versions have been installed.

We now need to make alterations to activate the serial console, to enable remote management, and to activate telnet support on the LAN side.
Edit the files below in this case 020_Ntgr.cobj using a hex editor.
Make the changes as indicated by the * characters in the following tables


(1) Enable serial console: (Ntgr.cobj)
Serial Console Disabled:
0000 26A0: 00 00 FF 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........  
0000 26B0: 00 00 00 00*00*C1 C1 C1  C1 00 FF FF FF FF FF FF  ........ ........  ******
0000 26C0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ........ ........  
Serial Console Enabled:
0000 26A0: 00 00 FF 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........  
0000 26B0: 00 00 00 00*04*C1 C1 C1  C1 00 FF FF FF FF FF FF  ........ ........  ******
0000 26C0: FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  ........ ........  

(2) Enable Remote Management: (Ntgr.cobj)
Remote Management:
0000 1420: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........  
0000 1430: 00 00 00 00 00 87 07*12* 17 00 00 00 50 00 00 00  ........ ....P...  ***** 
0000 1440: 50 00 00 1F 90 00 00 00  50 01 61 64 6D 69 6E 00  P....... P.admin.  
0000 1450: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........  
0000 1460: 00 00 00 00 00 00 00 00  00 63 68 61 6E 67 65 6D  ........ .changem  
0000 1470: 65 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  e....... ........  
0000 1480: 00 00 00 00 00 00 00 00  00 00 00 02*00*17 00 00  ........ ........  *****
0000 1490: 00 17 00 00 00 17 00 00  00 17 00 00 00 17 01 61  ........ .......a  
0000 14A0: 64 6D 69 6E 00 00 00 00  00 00 00 00 00 00 00 00  dmin.... ........  
0000 14B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 63 68  ........ ......ch  
0000 14C0: 61 6E 67 65 6D 65 00 00  00 00 00 00 00 00 00 00  angeme.. ........  
0000 14D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........  
0000 14E0: 02*00*17 00 00 01 BB 00  00 01 BB 00 00 01 BB 00  ........ ........  *****
0000 14F0: 00 01 BB 01 61 64 6D 69  6E 00 00 00 00 00 00 00  ....admi n.......  
0000 1500: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........  
0000 1510: 00 00 00 63 68 61 6E 67  65 6D 65 00 00 00 00 00  ...chang eme.....  
0000 1520: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........  


Change the byte indicated in accordance with the following bit mapping:
01 = CM Port Enabled
04 = WAN port enabled
10 = LAN port enabled

e.g. for Remote management via LAN and CM port only, use 0x01 + 0x10 = 0x11
Remote management is configured separately for three different services in the following order;
HTTP
TELNET
HTTPS
Notice in the hex editor how the username/password repeat 3 times. You will need to locate the
byte indicated between the * characters above, and make the appropriate change to activate remote
management.

(3) Enable Telnet: (MLog.cobj)
Telnet Disabled:
0000 0010: 73 65 72 00 04 31 32 33  34 00 03 4D 53 4F 00 08  ser..123 4..MSO..  
0000 0020: 63 68 61 6E 67 65 6D 65 *00*61 64 6D 69 6E 00 00  changeme .admin..  *******
0000 0030: 00 00 00 00 00 00 00 00  00 70 61 73 73 77 6F 72  ........ .passwor  
Telnet Enabled:
0000 0010: 73 65 72 00 04 31 32 33  34 00 03 4D 53 4F 00 08  ser..123 4..MSO..  
0000 0020: 63 68 61 6E 67 65 6D 65 *01*61 64 6D 69 6E 00 00  changeme .admin..  *******
0000 0030: 00 00 00 00 00 00 00 00  00 70 61 73 73 77 6F 72  ........ .passwor  


Now we must reverse the data extraction procedure to reprogram the new settings.

assemblesettings my_modem.img.dynamic.param_00_settings/*.cobj my_modem.img.dynamic.param_00_modified

This should produce the following output:

Reading:   my_modem.img.dynamic.param_00_settings/000_CMAp.cobj
Reading:   my_modem.img.dynamic.param_00_settings/001_MLog.cobj
Reading:   my_modem.img.dynamic.param_00_settings/002_F2A1F61F.cobj
Reading:   my_modem.img.dynamic.param_00_settings/003_8021.cobj
Reading:   my_modem.img.dynamic.param_00_settings/004_802S.cobj
Reading:   my_modem.img.dynamic.param_00_settings/005_FACT.cobj
Reading:   my_modem.img.dynamic.param_00_settings/006_bpi20.cobj
Reading:   my_modem.img.dynamic.param_00_settings/007_bpih.cobj
Reading:   my_modem.img.dynamic.param_00_settings/008_D0C20100.cobj
Reading:   my_modem.img.dynamic.param_00_settings/009_D0C20300.cobj
Reading:   my_modem.img.dynamic.param_00_settings/010_CMEV.cobj
Reading:   my_modem.img.dynamic.param_00_settings/011_snmp.cobj
Reading:   my_modem.img.dynamic.param_00_settings/012_DnSt.cobj
Reading:   my_modem.img.dynamic.param_00_settings/013_DnS1.cobj
Reading:   my_modem.img.dynamic.param_00_settings/014_UpSt.cobj
Reading:   my_modem.img.dynamic.param_00_settings/015_UpS1.cobj
Reading:   my_modem.img.dynamic.param_00_settings/016_UpS2.cobj
Reading:   my_modem.img.dynamic.param_00_settings/017_UpS3.cobj
Reading:   my_modem.img.dynamic.param_00_settings/018_Ppan.cobj
Reading:   my_modem.img.dynamic.param_00_settings/019_RSTL.cobj
Reading:   my_modem.img.dynamic.param_00_settings/020_Ntgr.cobj
Reading:   my_modem.img.dynamic.param_00_settings/021_PRNT.cobj
Reading:   my_modem.img.dynamic.param_00_settings/022_PS0DV.cobj
Reading:   my_modem.img.dynamic.param_00_settings/023_CAP2E.cobj
Reading:   my_modem.img.dynamic.param_00_settings/024_CDP2E.cobj
Reading:   my_modem.img.dynamic.param_00_settings/025_CSP2E.cobj
Reading:   my_modem.img.dynamic.param_00_settings/026_RG2E2E.cobj
Reading:   my_modem.img.dynamic.param_00_settings/027_cmp2E.cobj
Reading:   my_modem.img.dynamic.param_00_settings/028_CHEV.cobj
Reading:   my_modem.img.dynamic.param_00_settings/029_CQP2.cobj
Reading:   my_modem.img.dynamic.param_00_settings/030_FIRE.cobj
Reading:   my_modem.img.dynamic.param_00_settings/031_VPNG.cobj
Reading:   my_modem.img.dynamic.param_00_settings/032_PPPS.cobj
Reading:   my_modem.img.dynamic.param_00_settings/033_WiGu.cobj
Reading:   my_modem.img.dynamic.param_00_settings/034_ERT2E.cobj

Length:    0x0000ed79
Checksum:  0x0f740199
Writing:   my_modem.img.dynamic.param_00_modified

Note: Your checksum will be different to the one shown above, and should be different from the original checksum.
You should now have the following new file:

my_modem.img.dynamic.param_00_modified (60793 Bytes)

Note: The size may be different from shown above, but should be identical to the original file size.

Now rebuild the dynamic settings memory image:

repacksettings my_modem.img.dynamic.param_00_modified my_modem.img.dynamic_modified

This should produce the following output:

Block 00, Opening my_modem.img.dynamic.param_00_modified
Blocksize: 0x00010000
Block 00, Bytes Read: 0x0000ed79
Writing to: my_modem.img.dynamic_modified

You should now have the following new file:

my_modem.img.dynamic_modified (65536 Bytes)

Now program the dynamic settings back to the EEPROM:

spi_prog /dev/ttyUSB0 -w 0x7F0000 my_modem.img.dynamic_modified

This should produce the following output:

Flushing buffers...
Handshake..
Query ID..
Device ID 0x010216
Erasing 0x007f0000-0x007fffff (0x00010000)...
Writing data 0x007f0000-0x00800000 (0x00010000)...

That's it boot up your modem, and you should have telnet and serial console access.